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Within  the  federal  government,  IT  portfolio  management  (PJM)  emerged  as  a  fundamental  business  imperative  driven 
bj  legislation  such  as  the  Clinger  Cohen  Act  (CCA)  [1]  of  1996,  which  called  for  greater  accountability  for  perfor¬ 
mance  and  expenditures.  In  addition  to  providing  guidance  to  the  federal  government  on  how  to  improve  the  manage¬ 
ment  and  allocation  of  its  investments,  CCA  also  changed  the  organisational  structure  and  behavior  of  the  govern¬ 
ment,  vesting  more  power  in  its  CIOs.  This  article  provides  insight  into  how  the  DoD  CIO  has  approached  PJM  for 
I  A  within  the  GIG. 


In  October  2005,  die  Deputy  Secretary 
of  Defense  signed  out  DoD  Directive 
(DoDD)  8115.01,  “Information  Technol¬ 
ogy  Portfolio  Management”  [2],  which 
established  policy  and  assigned  responsi¬ 
bilities  for  the  management  of  DoD  IT 
investments  as  portfolios  that  focus  on 
improving  DoD  capabilities  and  mission 
outcomes.  Under  the  directive,  the 
responsibility  of  establishing  guidance  for 
managing  portfolios  was  placed  with  the 
ASD[NII]/DoD  CIO.  Individual  portfo¬ 
lios  manage  their  investments  using  strate¬ 
gic  plans,  GIG  architecture,  risk  manage¬ 
ment  techniques,  and  capability  goals, 
objectives,  and  performance  measures. 

As  the  benefits  of  PfM  have  become 
more  widely  recognized,  the  DoD  is  mov¬ 
ing  toward  the  management  of  all  invest¬ 
ments  (not  just  IT)  as  portfolios.  The  2005 
Quadrennial  Defense  Review  initiated  a 
process  that  has  piloted  Capability 
Portfolio  Management  (CPM)  and  speci¬ 
fied  a  structure  whereby  capabilities  will 
be  managed  in  a  series  of  portfolios.  The 
DoD  is  preparing  to  issue  an  overarching 
policy  to  formalize  a  comprehensive  DoD 
CPM  framework  based  on  the  Joint 
Capability  Area  taxonomy.  To  avoid  the 
confusion  of  having  two  portfolio 
processes  within  the  DoD,  the  DoDD 
8115.01,  “Information  Technology  PfM,” 
will  be  canceled  when  the  new  CPM  poli¬ 
cy  is  issued.  The  policies  currently  con¬ 
tained  in  DoD  Instruction  8115.02, 
“Information  Technology  PfM  Imple¬ 
mentation,”  will  be  updated  to  support  the 
CPM  framework  and  fully  merge  portfolio 
governance  structures. 

Under  this  new  framework,  capability 
portfolio  managers  will  make  recommen¬ 
dations  to  the  Deputy  Secretary  of 
Defense  and  the  Deputy’s  Advisory 
Working  Group  on  capability  develop¬ 
ment  issues  within  their  respective  portfo¬ 
lios.  They  have  no  independent  decision¬ 
making  authority  and  will  not  infringe  on 
any  existing  statutory  authorities.  For 
instance,  the  DoD  CIO’s  statutory  and 


regulatory  responsibilities  to  manage  and 
oversee  IT  resources  remain  unchanged; 
however,  they  will  now  be  executed 
through  this  more  holistic  portfolio  struc¬ 
ture.  In  essence,  capability  portfolio  man¬ 
agers  integrate,  coordinate,  and  synchro¬ 
nize  portfolio  content  by  providing  strate¬ 
gic  advice  intended  to  focus  portfolio 
capabilities. 

Traditionally  in  both 
the  commercial  sector 
and  the  federal 
government,  PfM 
has  focused  on 
IT-related  investments, 
but  in  an  ideal  world,  the 
portfolio  should  be 
inclusive  of  all 
investments:  people, 
processes,  and 
technology. 

What  Is  PfM? 

PfM  is  the  management  of  selected 
groupings  of  investments  through  inte¬ 
grated  strategic  planning,  architecture, 
measures  of  performance,  risk-manage¬ 
ment  techniques,  and  transition  plans. 
Traditionally  in  both  the  commercial  sec¬ 
tor  and  tire  federal  government,  PfM  has 
focused  on  IT-related  investments,  but  in 
an  ideal  world,  the  portfolio  should  be 
inclusive  of  all  investments:  people, 
processes,  and  technology.  In  the  simplest 
and  most  practical  terms,  PfM  focuses  on 


five  key  objectives: 

1.  Define  goals  and  objectives.  Clearly 
articulate  what  the  portfolio  is  expected 
to  achieve.  What  is  the  mission  of  the 
organization  and  how  does  it  support 
and  achieve  that  mission? 

2.  Understand,  accept,  and  make 
trade-offs.  Determine  what  to  invest  in 
and  how  much  to  invest.  Which  initia¬ 
tives  contribute  die  most  to  die  mis¬ 
sion? 

3.  Identify,  eliminate,  minimize,  and 
diversify  risk.  Select  a  mix  of  invest¬ 
ments  diat  will  avoid  undue  risk,  will 
not  exceed  acceptable  risk  tolerance 
levels,  and  will  spread  risks  across  pro¬ 
jects  and  initiatives  to  minimize  adverse 
impacts.  When  and  how  do  you  termi¬ 
nate  a  legacy  system?  At  what  point  do 
you  cancel  a  project  diat  is  behind 
schedule  and  over  budget? 

4.  Monitor  portfolio  performance. 
Understand  die  progress  your  portfolio 
is  making  towards  achieving  die  goals 
and  objectives  of  your  organization.  As 
a  whole,  is  the  portfolio’s  progress 
meeting  the  mission’s  goals? 

5.  Achieve  a  desired  objective.  Have  die 
confidence  that  die  desired  outcome 
will  likely  be  achieved  given  the  aggre¬ 
gate  of  investments  diat  are  made. 
Which  combination  of  investments 
best  supports  die  desired  outcome? 

What  Is  the  GIG? 

Everyone  hears  about  die  GIG,  but  just 
what  is  it?  The  DoD  defines  the  GIG  as 
the  following: 

...  a  globally  interconnected,  end- 
to-end  set  of  information  capabili¬ 
ties,  associated  processes,  and  per¬ 
sonnel  for  collecting,  processing, 
storing,  disseminating,  and  manag¬ 
ing  information. 

The  GIG  will  improve  interoperability 
among  the  DoD’s  many  information  and 
weapon  systems,  but  more  importantly,  it 
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Figure  1:  GIG  IA  Portfolio  Drivers 

will  help  the  DoD  to  transform  to  a  more 
network-based  -  or  net-centric  -  way  of 
fighting  wars  and  achieving  information 
superiority  over  adversaries,  much  the 
same  way  as  the  Internet  has  transformed 
industry  and  society  on  a  global  scale. 

The  GIG  will  create  an  environment 
in  which  users  can  access  data  on  demand 
from  any  location  without  having  to  rely 
on  (and  wait  for)  organizations  in  charge 
of  data  collection  to  fully  process  and  dis¬ 
seminate  the  information.  With  its  timeli¬ 
er  data  availability  and  more  robust  com¬ 
munications  infrastructure,  the  DoD 
expects  the  GIG  to  enable  more  expedi¬ 
ent  execution  of  military  operations,  col¬ 
laborative  mission  planning  and  execution, 
and  common  views  of  the  battlespace. 
The  realization  of  the  net-centric  vision 


depends  on  sound  IA  mechanisms  being 
woven  into  the  very  fabric  of  the  GIG. 
Reaching  the  GIG  vision  relies  to  a  great 
extent  upon  each  individual  program 
manager  understanding  and  being  willing 
to  be  guided  by  the  tenets  of  the  GIG. 
Applying  the  tenants  of  PfM,  the  strategy 
for  weaving  IA  into  the  GIG,  consequent¬ 
ly,  has  three  main  prongs: 

1 .  Developing  and  operationalizing  an  IA 
component  of  the  GIG  architecture 
that  provides  the  technical  road  map 
for  protecting  and  defending  the  cur¬ 
rent  and  future  GIG. 

2.  Influencing  program  managers  to 
build  their  systems  so  as  to  be  able  to 
plug  into  relevant  IA  constructs. 

3.  Ensuring  the  DoD  makes  the  proper 
investments  to  provide  the  IA  founda- 


Figure  2:  PfM  Process 


Analysis 

Links  objectives  to  vision, 
goals,  priorities,  and 
capabilities;  develop 
performance  measures;  and 
identify  gaps  and  risks. 


Evaluation 

Measures  actual  contributions 
of  portfolio  towards  improved 
capabilities  and  supports 
adjustments  to  the 
investment  mix. 


_ 


Control 

Ensures  investments  within 
portfolios  are  managed  and 

monitored  to  determine 
whether  to  continue,  modify, 
or  terminate. 

Selection 

Identifies  and  selects  best 
mix  of  investments  to  achieve 
capability  goals  and  objectives 
across  portfolio. 


_ 


tional  technology  upon  which  the  pro¬ 
grams  will  be  relying. 

What  Is  GIAP? 

The  ASD(NII)/DoD  CIO  named  the 
DASD(IIA)  as  the  domain  owner  for  the 
IA  Portfolio  who,  in  turn,  named  the 
Director,  National  Security  Agency 
(DIRNSA)  as  his  domain  agent.  As  the  IA 
domain  agent,  the  DIRNSA  leads  the 
GIAP  management  activities  through  the 
creation  of  the  GIAP  Management 
Office. 

The  GIAP  Management  Office  con¬ 
sists  of  a  GIG  IA  portfolio  manager  and 
staff  of  capability  managers  who  execute 
the  domain  agent  duties  on  behalf  of  the 
DIRNSA.  Though  located  at  the  NSA, 
this  office  performs  a  DoD  community 
service  and  draws  staff  from  across  the 
community.  At  present,  the  GIAP 
Management  Office  workforce  consists  of 
NSA  and  DISA  personnel. 

Key  IA  organizations  have  been 
appointed  as  functional  leads  to  support 
the  IA  domain  agent  in  developing  and 
executing  a  coordinated,  DoD-wide  IA 
portfolio.  The  functional  leads  are: 

•  Architecture  —  NSA  IA  Directorate. 

•  Integration  —  DISA. 

•  Operations  -  Commander,  U.S.  Stra¬ 
tegic  Command. 

•  PfM  —  GIAP  Management  Office. 

So  Why  Have  a  GIAP? 

As  the  domain  owner,  the  DASD(IIA)  has 
directed  the  GIAP  Management  Office  to 
provide  a  collection  of  capabilities  that 
will  achieve  dynamic  IA  in  support  of  net- 
centric  operations.  The  primary  focus  of 
the  GIAP  Management  Office  is  to  do  the 
following: 

•  Recommend  the  best  mix  of  invest¬ 
ments,  and  synchronize  milestones 
and  dependencies  to  achieve  die  GIG 
IA  vision. 

•  Fully  leverage  baseline  resources  from 
research  to  de-commission. 

•  Identify  approaches  to  close  all  capa¬ 
bility  gaps. 

•  Monitor  execution  of  investment 
strategies. 

•  Measure  outcomes  and  processes  and 
take  corrective  measures  as  necessary. 
The  GIAP  Management  Office  does 

not  manage  the  execution  of  service  and 
agency  IA  programs  as  this  is  the  respon¬ 
sibility  of  the  services  and  agencies  them¬ 
selves.  The  GIAP  Management  Office 
closely  examines  the  programs  to  under¬ 
stand  capabilities  on  which  they  are 
depending  for  their  success.  They  also 
look  at  the  timing  of  the  programs  to 
ensure  they  are  synchronized  logically. 
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The  GIG  IA  portfolio  manager,  in 
concert  with  the  capability  managers  and 
service/agency  representatives,  has  been 
working  hard  to  meet  these  goals.  Figure  1 
depicts  the  many  drivers  of  the  GIAP  in 
its  goal  to  provide  a  collection  of  capabil¬ 
ities  that  will  achieve  dynamic  IA  in  sup¬ 
port  of  net-centric  operations. 

Division  of  the  GIAP  Into 
Capability  Areas 

In  order  to  aid  the  GIAP  manager  in  the 
task  of  delivering  GIG  IA  capabilities  to 
DoD  customers,  the  GIAP  has  been 
divided  into  six  distinct  IA  functional 
areas  under  the  direction  of  four  capabili¬ 
ty  managers.  These  six  IA  functional  areas 
are  aligned  to  do  tire  following: 

1.  Provide  the  ability  to  dynamically  and 
securely  share  information  at  multiple 
classification  levels  among  U.S.,  allied, 
and  coalition  forces. 

2.  Protect  all  enterprise  management  and 
control  systems,  and  provide  common 
security  management  infrastructure  to 
support  enterprise  security  functions. 

3.  Provide  assurance  that  information 
does  not  change  (unless  authorized) 
from  production  to  consumption  or 
from  transmission  to  receipt. 

4.  Protect,  monitor,  analyze,  detect,  and 
respond  to  unauthorized  activity  as 
well  as  unintentional,  non-malicious 
user  errors  within  DoD  information 
systems  and  networks. 

5.  Assure  GIG  computing  and  commu¬ 
nications  resources,  services,  and 
information  are  available  and  accessi¬ 
ble  to  support  net-centric  operations. 

6.  Ensure  information  is  not  made  avail¬ 
able  or  is  not  disclosed  to  unautho¬ 
rized  individuals,  entities,  devices,  or 
processes. 

The  capability  managers  are  responsi¬ 
ble  for  providing  oversight  and  guidance 
to  all  DoD  programs  delivering  capabili¬ 
ties  within  their  functional  area.  They 
work  closely  with  the  services  and  agen¬ 
cies  managing  these  programs,  with  the 
functional  leads,  and  with  each  other.  In 
providing  this  oversight  and  guidance, 
they  follow  the  process  depicted  in 
Figure  2. 

Supporting  the  PfM  process  described 
in  Figure  2,  the  GIAP  has  developed  the 
GIG  I A  Portfolio  Plan  (GIPP)  which  sets 
forth  a  near-term  plan  in  the  context  of  a 
long-term  vision  for  fulfilling  GIG  IA- 
identified  capability  gaps  defined  in  the 
GIG  IA  Initial  Capabilities  Document 
(ICD)  [3].  While  describing  the  long-term 
vision  at  a  high  level,  this  version  of  the 
GIPP  is  particularly  focused  on  present¬ 


ing  a  plan  to  achieve  the  capabilities 
defined  in  the  IA  component  of  the  GIG 
Integrated  Architecture,  Increment  1, 
Version  1.1  [7],  The  GIPP  also  serves  as  a 
guide  for  die  GIAP  in  determining  rec¬ 
ommendations  for  the  best  mix  of  syn¬ 
chronized  investments  over  time,  and 
serves  to  inform  the  community  of  the 
near-term  plan  for  investments  and  the 
expected  availability  of  capabilities.  The 
GIPP  communicates  the  GIAP  path  by 
doing  the  following: 

•  Defining  architecturally  framed  tech¬ 
nology  evolution  strategies. 

•  Providing  practical  details  that 
describe  implementation  progress 
necessary  to  counter  adversaries,  close 

Beyond  cost,  schedule, 
and  dependencies, 
analyses  will  continue  to 
identify  possible 
duplication  of  effort 
by  one  service  or 
agency  which  could  be 
used  by  all.  Achieving 
the  GIG  vision  ... 
will  not  come  quickly  ... 


gaps  and  vulnerabilities,  and  achieve 
net-centricity. 

•  Identifying  programmatic  dependen¬ 
cies  and  synchronization  markers. 

What  Lies  Ahead 

The  GIAP  Management  Office  has  a 
huge  task  before  it  -  one  that  will  take 
several  years  to  fully  implement.  Since  its 
establishment  in  2006,  the  GIG  IA  PfM 
office’s  near-term  focus  has  been  on  issu¬ 
ing  guidance  to  the  services  and  agencies 
to  help  them  refine  their  Program 
Objective  Memorandum  ’08  and  TO  sub¬ 
missions,  plan  their  fiscal  year  ’09- 1 3  bud¬ 
get  and,  where  possible,  modify  their  fis¬ 
cal  year  ’07-08  budgets.  Beyond  cost, 
schedule,  and  dependencies,  analyses  will 
continue  to  identify  possible  duplication 
of  effort  by  one  service  or  agency  which 
could  be  used  by  all.  Achieving  the  GIG 
vision  and  associated  IA  architecture  will 
not  come  quickly  and  will  not  be  cheap, 
but  through  PfM  we  can  maximize  our 


investment  by  ensuring  that  scarce  IA 
dollars  are  spent  as  wisely  as  possible.  As 
our  insight  into  ever-changing  adversarial 
threats  deepens,  PfM  gives  us  the  agility 
to  plan,  budget,  and  support  capability 
improvements  necessary  to  sustain  an 
assured  GIG  into  the  future  by  providing 
the  best  IA  to  the  warfighting  and  ICs.^ 
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